From: Karl-Heinz Reichart (karl-heinz.reichart_at_dacoma.de)
Date: Mon Nov 04 2002 - 15:03:18 CET
Hello there,
after 1 year running freeswan-1.91 and kernel 2.4.5 we upgraded to freeswan-1.97 and kernel 2.4.18.
In the past all worked fine.
Our network looks like this:

                                           SN2
                                          //
                                         //
A ===== B ===== Internet ======== TS ======== SN1
A: Rightsubnet
B: Boxrouter (with freeswan)
TS: Tunnelserver (with freeswan-1.97)
SN: Leftsubnet (machines SN1 and SN2)
Problem: Sometimes packets from a machine (for example SN1) don't arrive at the Rightsubnet. But I can ping another machine A from SN2 and all packets from A arrive at SN1. After passing pluto, iptables drops the packets. There are 50 tunnels on TS and they run fine, but the problem occurs randomly for 1 or 2 of them.
In these cases, we get the error message: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
From /var/log/messages:
Oct 22 09:17:17 rtr-ts003 Pluto[450]: "rtr-ts003-032" xyz.uvw.rst.opq #209128: sent MR3, ISAKMP SA established
Oct 22 09:17:17 rtr-ts003 Pluto[450]: Can't Opportunistically initiate for 192.168.10.71 to 10.3.32.170: no Opportunistic template
Oct 22 09:17:17 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.71 DST=10.3.32.170 LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=40206 DF PROTO=TCP SPT=2400 DPT=2512 WINDOW=24820 RES=0x00 ACK URGP=0
Oct 22 09:17:17 rtr-ts003 kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
Oct 22 09:17:17 rtr-ts003 Pluto[450]: Can't Opportunistically initiate for 192.168.10.31 to 10.3.32.170: no Opportunistic template
Oct 22 09:17:17 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.31 DST=10.3.32.170 LEN=62 TOS=0x00 PREC=0x00 TTL=63 ID=302 DF PROTO=TCP SPT=8101 DPT=3072 WINDOW=24820 RES=0x00 ACK PSH URGP=0
Oct 22 09:17:17 rtr-ts003 kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
.
.
.
Oct 22 09:17:29 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.31 DST=10.3.32.170 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=303 DF PROTO=TCP SPT=8101 DPT=3073 WINDOW=24820 RES=0x00 ACK SYN URGP=0
Oct 22 09:17:29 rtr-ts003 kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
.
.
.
Oct 22 09:18:06 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.31 DST=10.3.32.170 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=58675 DF PROTO=TCP SPT=8101 DPT=3074 WINDOW=24820 RES=0x00 ACK SYN URGP=0
Oct 22 09:18:06 rtr-ts003 kernel: NET: 2 messages suppressed.
Oct 22 09:18:06 rtr-ts003 kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
Oct 22 09:18:07 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.31 DST=10.3.32.170 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58676 DF PROTO=TCP SPT=8101 DPT=3075 WINDOW=24820 RES=0x00 ACK URGP=0
Oct 22 09:18:08 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.31 DST=10.3.32.170 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=58677 DF PROTO=TCP SPT=8101 DPT=3075 WINDOW=24820 RES=0x00 ACK SYN URGP=0
.
.
# With ipsec klipsdebug --set tunnel
.
.
Oct 22 11:10:59 rtr-ts003 kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:44 id:64086 DF frag_off:0 ttl:63 proto:6 (TCP) chk:19457 saddr:192.168.10.31:8101 daddr:10.3.32.170:1208
Oct 22 11:10:59 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: checking for local udp/500 IKE packet saddr=c0a80a1f, er=ac100201, daddr=a0320aa, er_dst=0, proto=6 sport=0 dport=0
Oct 22 11:10:59 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: Original head,tailroom: 18,20
Oct 22 11:10:59 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: PASS: calling dev_queue_xmit
Oct 22 11:10:59 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: With hard_header, final head,tailroom: 18,20
Oct 22 11:10:59 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: ...done, calling ip_send() on device:eth0
Oct 22 11:10:59 rtr-ts003 kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:44 id:64086 DF frag_off:0 ttl:63 proto:6 (TCP) chk:19457 saddr:192.168.10.31:8101 daddr:10.3.32.170:1208
Oct 22 11:10:59 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.31 DST=10.3.32.170 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=64086 DF PROTO=TCP SPT=8101 DPT=1208 WINDOW=24820 RES=0x
Oct 22 11:10:59 rtr-ts003 kernel: NET: 5 messages suppressed.
Oct 22 11:10:59 rtr-ts003 kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
.
.
# With klipsdebug --all
.
.
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:44 id:7027 DF frag_off:0 ttl:63 proto:6 (TCP) chk:10981 saddr:192.168.10.31:8101 daddr:10.3.32.170:1227
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_findroute: 192.168.10.31->10.3.32.170
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:rj_match: * See if we match exactly as a host destination
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_findroute: found, points to proto=61, spi=100, dst=0.
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: checking for local udp/500 IKE packet saddr=c0a80a1f, er=ac100201, daddr=a0320aa, er_dst=0, proto=6 sport=0 dport=0
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: Original head,tailroom: 18,20
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: PASS: calling dev_queue_xmit
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: With hard_header, final head,tailroom: 18,20
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_tunnel_start_xmit: ...done, calling ip_send() on device:eth0
Oct 22 11:16:31 rtr-ts003 kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:44 id:7027 DF frag_off:0 ttl:63 proto:6 (TCP) chk:10981 saddr:192.168.10.31:8101 daddr:10.3.32.170:1227
Oct 22 11:16:31 rtr-ts003 kernel: IPTABLES-LOG IN= OUT=eth0 SRC=192.168.10.31 DST=10.3.32.170 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=7027 DF PROTO=TCP SPT=8101 DPT=1227 WINDOW=24820 RES=0x0
Oct 22 11:16:31 rtr-ts003 kernel: klips_error:ipsec_tunnel_start_xmit: ip_send() failed, err=1
I think that freeswan could not find the destination (klips_debug:rj_match: * See if we match exactly as a host destination / Oct 22 11:16:31 rtr-ts003 kernel: klips_debug:ipsec_findroute: found, points to proto=61, spi=100, dst=0) or (klips_debug:ipsec_tunnel_start_xmit: checking for local udp/500 IKE packet saddr=c0a80a1f, er=ac100201, daddr=a0320aa, er_dst=0, proto=6 sport=0 dport=0).
Is this problem known and is there a patch or workaround?
Deleting, unrouting and adding a config doesn't solve the problem, but sometimes it disappears after some time without any interference.
When the error occurred I found the following lines in /proc/net/ipsec_eroute:
28 192.168.0.0/16 -> 10.3.32.0/24 => tun0x7ba90@xyz.ab.uvw.rst
68 192.168.10.31/32 -> 10.3.32.180/32 => %pass
If I delete the second route with "ipsec eroute --del --eraf inet --src 192.168.10.31/32 --dst 10.3.32.180/32 --said %pass" the error is gone.
The error occurs 5 times in 24 hours with 50 tunnels.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
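Editor's note with an added example (this script is written for this archive page; it is not FreeS/WAN code and not something the poster ran). The two /proc/net/ipsec_eroute lines quoted in the post show a /32 -> /32 %pass entry nested inside the /16 -> /24 tunnel entry for the same traffic. KLIPS picks the most specific eroute, so the shunt wins, which is consistent with the "PASS: calling dev_queue_xmit" line in the klipsdebug output: the packet is handed to eth0 unencrypted, and the iptables rule that logs and drops plaintext traffic towards the remote subnet is presumably what produced the ip_send() err=1 and kept the packet off the wire. The script parses an eroute table in the format shown in the post, reports every shunt entry (%pass, %hold, %trap, %drop, %reject) that is at least as specific as a tunnel entry covering the same source and destination, and prints the `ipsec eroute --del` command from the post for each hit. The sample table and its 192.0.2.x gateway addresses (RFC 5737 documentation space) are constructed for the example; the real gateway in the post is not shown.

```python
"""Find KLIPS shunt eroutes (%pass, %hold, %trap, ...) that are at least as
specific as a tunnel eroute covering the same traffic.  Because the eroute
lookup prefers the most specific entry, such a shunt is selected instead of
the tunnel and the traffic leaves the box unencrypted.

Added example for this list-archive page; not FreeS/WAN code.  It assumes
the /proc/net/ipsec_eroute line format shown in the post:
    <packet count> <src net> -> <dst net> => <SAID>
"""
import ipaddress
import re
import sys
from typing import List, NamedTuple, Tuple

EROUTE_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*=>\s*(?P<said>\S+)\s*$"
)

# SAIDs that KLIPS treats as shunts: the packet is not encapsulated.
SHUNT_SAIDS = ("%pass", "%hold", "%trap", "%drop", "%reject")

# Constructed sample modelled on the two lines quoted in the post.  The
# gateway addresses 192.0.2.x are made up (RFC 5737 documentation space).
SAMPLE_EROUTES = """\
28 192.168.0.0/16 -> 10.3.32.0/24 => tun0x7ba90@192.0.2.1
68 192.168.10.31/32 -> 10.3.32.180/32 => %pass
5 192.168.0.0/16 -> 10.4.0.0/16 => tun0x7bb10@192.0.2.2
0 0.0.0.0/0 -> 0.0.0.0/0 => %trap
"""


class Eroute(NamedTuple):
    count: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    said: str

    def is_shunt(self) -> bool:
        return self.said in SHUNT_SAIDS


def parse_eroutes(text: str) -> List[Eroute]:
    """Parse an eroute table; raise on a line that does not match the format."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EROUTE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised eroute line: {line!r}")
        routes.append(Eroute(
            int(m["count"]),
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            m["said"],
        ))
    return routes


def _covers(outer: ipaddress.IPv4Network, inner: ipaddress.IPv4Network) -> bool:
    """True when every address of `inner` lies inside `outer`."""
    return outer.version == inner.version and inner.subnet_of(outer)


def find_shadowing(routes: List[Eroute]) -> List[Tuple[Eroute, Eroute]]:
    """Return (shunt, tunnel) pairs where the shunt's source and destination
    both lie inside the tunnel's, i.e. the shunt is the more specific match
    and is chosen for that traffic instead of the tunnel."""
    tunnels = [r for r in routes if not r.is_shunt()]
    hits = []
    for shunt in routes:
        if not shunt.is_shunt():
            continue
        for tun in tunnels:
            if _covers(tun.src, shunt.src) and _covers(tun.dst, shunt.dst):
                hits.append((shunt, tun))
    return hits


def del_command(route: Eroute) -> str:
    """The `ipsec eroute --del` invocation the post uses to remove an entry."""
    return (f"ipsec eroute --del --eraf inet --src {route.src} "
            f"--dst {route.dst} --said {route.said}")


def main(argv: List[str]) -> int:
    # Read a real table if a path is given (e.g. /proc/net/ipsec_eroute),
    # otherwise analyse the constructed sample above.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EROUTES
    hits = find_shadowing(parse_eroutes(text))
    for shunt, tun in hits:
        print(f"{shunt.said} {shunt.src} -> {shunt.dst} shadows {tun.said} "
              f"{tun.src} -> {tun.dst}: this traffic is sent unencrypted")
        print("  remove with: " + del_command(shunt))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 eroute_shadow.py /proc/net/ipsec_eroute` on the gateway (file name assumed); the exit status is 1 when a shadowing shunt exists, so it can sit in a cron job. Note that deleting the shunt restores the tunnel path but says nothing about where the shunt came from; keeping the iptables rule that drops unencrypted traffic towards the remote subnets on the outer interface is the safeguard that makes this failure loud instead of silent.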
This archive was generated by hypermail 2.1.5 : Tue Nov 05 2002 - 05:20:44 CET